Biz & IT —

Google opens source code for software updater

Google has opened the source code of the tool that it uses on the Windows …

Google Update, a small program that the search giant uses to deploy new versions of its software to end-users on Windows, is now open for public scrutiny. Google has released the source code of the program, which is codenamed Omaha, under the open source Apache Software License.

Pushing patches to a large user population is a non-trivial technical problem. It's especially hard to make an updater that isn't disruptive or irritating. Google's updater operates silently in the background and seamlessly updates programs—including Chrome and Google Earth—as needed. Although it doesn't have the annoyance factor of some other update utilities, its stealthy behavior has raised some concerns among privacy advocates.

It's hard to trust an opaque process that runs all the time and can't easily be removed—especially when it comes from a company that is perpetually embroiled in controversy over privacy issues. To quell these concerns and provide greater insight into the behavior of its hidden updater, Google decided to make the source code available for public scrutiny.

Beyond revealing what Google Update actually does, the code could potentially be repurposed by other software developers who are seeking to build their own update systems. I became intrigued with this idea when open source consultant Jeff Waugh posited that Omaha could hypothetically provide a foundation for building a unified update infrastructure for open source applications on Windows.

On the Linux platform, distributors typically use sophisticated package management systems to deploy new software and updates. On Windows, however, there is no standardized framework for enabling third-party applications to push updates over the air. Open source application developers have to each roll their own update tool or depend on users to manually download and install new versions. Linux enthusiasts who use Windows know how frustrating it is to have to manually download and install fresh versions of Gimp, Inkscape, Pidgin, GVim, and many other tools on those occasions when they boot to Windows. It's possible that a better solution be achieved by forking Omaha and using its source code as the basis for a new, shared update system.

It's still a bit too early to tell whether the newly released code will be useful to third-party developers. I started poking through the source code myself, and ran into some minor roadblocks. Most of the dependencies aren't problematic, and I already had most of them installed on my Windows XP virtual machine. The list includes Python 2.4, SCons, the Windows Template Library, and .NET 2.0. The first roadblock that I encountered is that Omaha won't build with Visual Studio 2008—it requires an older version. This problem is documented in the project's wiki and issue tracker. Google says that third-party developers are welcome to "contribute change to make it build with newer versions."

The project's documentation also leaves a lot to be desired. There isn't much of it yet and the project's architecture isn't immediately intuitive. The code is, however, relatively well commented. Many of the source files have useful explanatory blurbs that describe their purpose. The deficiencies that I have noted here aren't really bad or surprising—they are somewhat typical of internal projects that are opened to public scrutiny. In time, some third-party involvement and a bit of tidying up could enable developers to repurpose it and integrate it with other software, but it's not entirely ready to be plugged into other programs right out of the box.

Google's decision to open the source code is already fulfilling its primary function, which is to give users a clearer understanding of what the updater does. For example, you can see which metrics the updater transmits to Google when users opt in to sending usage statistics. It primarily includes Windows version information and details about the number of crashes the user has experienced. You can also see how the crash handler automatically generates and submits reports.

This level of transparency is a good step forward for Google and it's a move that one can hope other companies will follow. It will provide privacy watchdogs with a means of understanding how the updater works so that they can verify that it is behaving as advertised.